There are many topics covered in the report, but we wanted to follow up specifically on the issue of WHOIS access and add data to our previous column Who Is Blocking WHOIS? which covered Registrar denial of their contracted obligation to support Port 43 WHOIS access. Here, we will dig even deeper to reveal specific manipulation of the system. In one of the most egregious examples A Technology Company Inc. has been blocking WHOIS access to their own operational domain, namesystem.com. Try doing a WHOIS look-up of namesystem.com and you will receive the message: Sorry, Domain does not exist in the null system. However, even Internic records that namesystem.com is registered through NameSystem. The odd thing is that all other WHOIS lookups work in whois.namesystem.com, it is just their domain which is hidden completely. ICANN terminated this Registrar the other day and applaud them for it, but they were terminated for non-payment of fees not blocking WHOIS access.

We have in many cases linked Registrar malfeasance and WHOIS obfuscation to spam and illicit pharmacy traffic. Here we provide an excellent example. We pulled a random spam sample from our collection which advertised the site sekudsov[DOT]com which had no content except a link to highmedcenter[DOT]com. Highmedcenter is an illegal pharmacy sponsored by Visesh Infotecnics Ltd. dba signdomains.com, and this is where the investigation ends because Visesh Infotecnics has turned off their WHOIS engine completely. Attempting to perform a look up on Highmedcenter produces this message: "Unable to connect to the specified registry whois.signdomains.com." This has been the case for several days. We have filed a complaint about this with ICANN.

In Belgium last week we presented these dire contractual breaches at the Whois Data Accuracy Study Workshop and pointed out that we need to take a step back to see if it is even possible to get to the WHOIS records before we can even worry about their accuracy.

Is this better or worse than the Registrars who have no look up at all or have buried it so deeply that Indiana Jones would not be able to find it? USA Webhost, Inc. (usawebhost.com), Verza Domain Depot BV (verzadomains.com), Premium Registrations Sweden AB (premiumregistrations.com), VentureDomains, Inc. (upc360.com), The Planet Internet Services, Inc. (theplanet.com), Digitrad France (digitrad.com), New Great Domains, Inc. (newgreatdomains.com), and Porting Access B.V.(portingxs.com) seem to have no web-based WHOIS.

Are these examples better or worse than Alfena, LLC (alfena.com), NetRegistry Pty Ltd. (netregistry.com), and Autica Domain Services Inc. (autica.com) which do not supply a web WHOIS by direct the visitor to some other WHOIS utility at another site?

One may complain that these Registrars are small-scale, possibly understaffed or disorganized, but we cannot say the same for NameScout, Network Solutions, eNom, Dotster, and Moniker/Oversee/Snapnames. What have these large Registrars done to obfuscate WHOIS? They have failed in their contractual obligation to provide bulk access:

"3.3.6 In addition, Registrar shall provide third-party bulk access to the data subject to public access under Subsection 3.3.1 under the following terms and conditions:
...
3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one (1) time per week for download by third parties who have entered into a bulk access agreement with Registrar.
...
3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data." (Source)

We asked NameScout about bulk access and they responded: "Unfortunately we don't offer this service."

We asked Network Solutions about bulk access and they responded: "Network Solutions does not sell bulk access to the Whois."

Perhaps eNom, Dotster, and Moniker/Oversee/Snapnames were the smart ones, they did not respond at all. As far as we are concerned they have all failed to comply with their contracts.

What is really interesting is that many of the Registrars mentioned were sitting in the audience of the Whois Data Accuracy Study Workshop and did not refute or respond to anything we presented.

We said it in the session and we will say it again. What we are seeing here is large-scale manipulation of the very fabric of the Internet for the gain of a few at the expense of the rest of us. Registrars large and small are failing to comply with the most basic conditions of their contract and so far this has slipped by ICANN.

By Garth Bruen, Internet Fraud Analyst and Policy Developer. More blog posts from Garth Bruen can also be read here.

Comments

Garth
I think the WHOIS section of the RAA needs to be updated.
The present wording if strictly interpreted, as you obviously do, does not allow for a registrar to rate limit or impose other restrictions to prevent denial of service attacks etc., via their whois server.

I am not the only person who was in the sessions in Brussels who suggested alternatives to "normal" whois eg. authenticated WHOIS

I remember your comment to this effect in the session and don't disagree with you on principle, but it's a red-herring here. I find many Registrars controlling these problems with CAPTCHA on the web WHOIS and limits on the Port 43. However, I am not talking about limited access. I'm talking about ZERO access. Complete denial, total obfuscation.

In the case of namesystem.com I made one query. One. In the case of signdomains.com I made one query. One. I never spoke of limits.

In the case of NameScout, Network Solutions, eNom, Dotster, and Moniker/Oversee/Snapnames I was attempting to enter into just such an agreement as you suggest but was denied in violation of the RAA.

Network Solutions is a respected member of the ICANN community, works closely with law enforcement agencies around the world, and actively participates in APWG and other spam and malware fighting forums. Our bona fides are beyond reproach. Unfortunately, we see that KnujOn has once again cast aspersions without the benefit of educating itself about all of the facts.

In particular, KnujOn alleges that Network Solutions and select other registrars "have failed in their contractual obligation to provide bulk access." This is not an accurate statement. Had KnujOn continued reading the Registrar Accreditation Agreement (RAA), specifically Section 3.3.7 which states:

3.3.7 Registrar's obligations under Subsection 3.3.6 shall remain in effect until the earlier of (a) replacement of this policy with a different ICANN policy, established according to Section 4, governing bulk access to the data subject to public access under Subsection 3.3.1, or (b) demonstration, to the satisfaction of ICANN, that no individual or entity is able to exercise market power with respect to registrations or with respect to registration data used for development of value-added products and services by third parties.

and had KnujOn bothered to confirm with appropriate officials, KnujOn would have learned that registrars formally asked ICANN earlier this year to determine that "no individual or entity is able to exercise market power with respect to registrations," thereby obviating the need for a bulk WHOIS access provision under Section 3.3.6. We are awaiting ICANN's determination, and have put any third party requests for bulk WHOIS access on hold pending that decision.

We did this NOT because we are trying to “obfuscate WHOIS” — in fact, our WHOIS search engine is one of the most heavily used on the Internet -– but because Network Solutions sees the requirement to provide bulk access to our entire WHOIS database as an anachronism that serves no reasonable purpose in today’s competitive marketplace. Requiring all registrars to provide such access for the minimal fee may have made some sense in ICANN’s early days, market conditions have significantly changed since then. Registrars were in agreement with this view during the 2007-2008 negotiations with ICANN to revise the RAA, and this was the impetus for providing ICANN with the authority to make such a market power determination under Section 3.3.7 of the 2009 RAA. Of course, third parties will be welcome to license bulk access to our WHOIS data under reasonable terms once this determination has been made.

As for not refuting or responding to KnujOn’s presentation at the WHOIS Data Accuracy Study Workshop, my Network Solutions colleagues and I had schedule conflicts and were not present in that session. I did, however, attend the Registrar Stakeholder Group face-to-face with the At-Large Advisory Committee (to which KnujOn belongs) later that same afternoon, and thought we had all agreed that better communication and outreach were desired by both groups. We all have to do our jobs, but the sniping and mischaracterizations that have plagued our bilateral relations should remain in the past…

I’m sorry, but nothing you’ve said here changes the facts, actually I think you may have inadvertently confirmed our contentions. The section you said I did not read actually states "Registrar's obligations under Subsection 3.3.6 shall remain in effect until”. The “until” has not happened.

“We are awaiting ICANN's determination, and have put any third party requests for bulk WHOIS access on hold pending that decision.”

We’re all waiting, but until then the Registrar's obligations under Subsection 3.3.6 shall remain in effect and by your admission you are violating the contract. A contractee can pick and choose.

“but because Network Solutions sees the requirement to provide bulk access to our entire WHOIS database as an anachronism”

Your opinion, not in the contract.

“Registrars were in agreement with this view during the 2007-2008 negotiations with ICANN to revise the RAA,”

Ok, so the Registrars agreed but the contract still requires it.

“KnujOn would have learned that registrars formally asked ICANN earlier this year to determine that no individual or entity is able to exercise market power with respect to registrations"

So, this is a request. It’s not policy; it’s not in the contract.

“and had KnujOn bothered to confirm with appropriate officials”

Ah yes, the Ministry of Truth would have set me straight to be sure. Tell me who the “appropriate officials” are and why I have to answer to them. As far as asking, we forwarded the Network Solutions rejection to ICANN compliance and we’re awaiting their response.

This is all a wish list. You are basically saying you don’t like the current contract so you don’t have to abide by it. It doesn't work that way.

"I did, however, attend the Registrar Stakeholder Group face-to-face with the At-Large Advisory Committee (to which KnujOn belongs) later that same afternoon, and thought we had all agreed that better communication and outreach were desired by both groups."

What did we agree to exactly? To not discuss critical issues? We're communicating now, so I'd say it's working just fine. I did try to reach out to Network Solutions, the response is included in the article above.

Fact 1: Registrars are required to supply bulk access under the specified conditions. Fact 2: Network Solutions refused access. The response we received from Network Solutions staff said nothing about shifting contract negotiations or changes in the market; they simply said they don’t sell bulk access, which they are not allowed to refuse.

I suspect that many may have misunderstood what we meant when we said that Network Solutions has “put any third party requests for bulk WHOIS access on hold pending that decision.” Let me be clear: Network Solutions continues to comply with all of its RAA obligations. We do have an internal procedure to vet and process RAA Section 3.3.6 requests for bulk WHOIS data. We continue to modify and improve our process to ensure privacy protection and minimize the possibility of data abuse such as spamming, and to take into account changes in industry practice which may result from ICANN’s determination under Section 3.3.7. It is not our policy to outright deny any requests for bulk WHOIS access, and Network Solutions is not cherry picking the RAA obligations with which we comply.

I also should give credit where it’s due, and thank KnujOn for identifying a glitch in our customer response systems. Our Customer Service team did not have its facts straight about how Network Solutions handles requests for bulk WHOIS access. That misunderstanding has been remedied. Communication is good.

Wishing it were true does not make it trueBob Bruen – Jun 29, 2010 4:50 PM PST

Paul,

You wrote: "KnujOn would have learned that registrars formally asked ICANN earlier this year to determine that "no individual or entity is able to exercise market power with respect to registrations," thereby obviating the need for a bulk WHOIS access provision under Section 3.3.6. We are awaiting ICANN's determination, and have put any third party requests for bulk WHOIS access on hold pending that decision."

According to your own words, ICANN has not made a determination on the registrars' request, therefore the existing contractual requirement is in effect. NetSol has no right to ignore the RAA just because a request to modify has been made. The need for bulk WHOIS access has not been obviated.

Wishing ICANN will grant your request is not the same as having the request granted.

You are confirming what many consumers and abuse-handlers suspect, that front-line staff at Registrars exist to confuse and misdirect. We went through the ordinary contact channels or the sales department in order to TEST for an appropriate response. Why should I have to use secret back-channel contacts to get a correct answer? Your response is troubling.

As per usual you are being intentionally confrontational and will probably try to abuse anything I say for your own end.

Do you speak for all abuse handlers?
Do you speak for all consumers or even a large number of them?
I somehow doubt it, as most of them are reasonable and know which contact point to use when they want to report abuse. (Hint: it's not going to be sales@registrar.tld)

To follow your logic a minimum wage cashier in Tesco would be able to answer the most obtuse question put to them by a member of the public.

The reality, however, is that there are people in registrars who can answer most queries, but if you insist on trying to use 1st line technical support to get answers to ALL of them you will probably be disappointed.

Your inability to constructively engage with registrars and the wider internet community is far more troubling to me than any pathetic attempts you may make to twist my words

I think you are trying to redirect the conversation away from the
original point. No one expects anyone to know everything, but if the
published phone number or email for a registrar is the only contact
point, then that first line of support should be able to answer most
queries. When they cannot, the standard procedure is to escalate the
query the second tier. This has been around for decades as way to handle
queries.

KnujOn has not tried to ask all sorts of questions, just a specific few.
In this case, it was how does one get access to bulk whois data. This is
not an outlandish question. In the world of bulk zone file data, it is
quite common for a link to the procedure for obtaining the data to be
posted on the web. The click usually leads to a procedure or a request
form. There is no reason why a registrar cannot to the same thing for
bulk whois data.

Your suggestion that KnujOn is unable to constructively engage with
registrars is not actually true. KnujOn has engaged with some registrars
quite well. Those registrars who are experiencing difficulty with KnujOn
are a small number and are being defensive when criticized. I am not
aware of too many people who are beyond criticism. KnujOn's criticisms
are well researched before they are made public and the registrars have
a chance to deal with them before they become public.

It would be more helpful if you would lighten up on the defensive
posture you have taken to engage in serious dialog. As one possibility,
you could point out a mistake made in the report. So far, several
registrars have complained loudly, but not one has said where a error
was made.

I have been watching what you hope to accomplish in your efforts with Knujon, and it seems like it is well intended, to reduce spam and increase accountability. I'd like to see you have more success.

Towards that outcome, I'd like to offer some unsolicited advise that I really think you could benefit from.

Over the course of man years, and watching the confrontational and abrasive manner in which the conversations start, I think that there is a lot of wasted energy that could be directed at your primary objectives (unless the objective is to rattle cages for the sake of rattling cages) if a different tact were taken in contacting registrars.

I might suggest leveraging the time honored philosophy of 'you catch more bears with honey than with vinegar (or in your case a tazer)' when opening into dialog with the registrars.

People react entirely differently when thrust into a defensive role, and I really have a strong sense that you are alienating those who could be allies by the public floggings and/or reputation taint and confrontational approach used.

Not all registrars are alike, but most all are reasonable and willing to help, especially when there is mutual benefit to it.

There are good actors and bad actors out there in any industry. Folks like Michele and Paul who you have taken the time to respond in the comments here are very reasonable people who are very active in the community and work very hard volunteering their time to improve the industry.

Perhaps start with that common bond and grow it.

Just an unsolicited opinion, but I hope it sinks in to perhaps take an authentic look at the approach and be open to trying something a little different.

I'd like to see you thrive in what you're doing and I really see the current approach in your way.

I really can't see why a registrar that sets itself up to facilitate criminal activity is going to behave better with a less abrasive approach. And my experience of ICANN has been that the people who get most attention are the ones that make most noise.

As people said to me after SiteFinder, "we have been worried about the IPR holders for years, but now we suddenly have to worry about the registrars". Which was kind of the point. Before sitefinder ICANN blocked all and every product development that might upset the IPR lobby and lead to a lawsuit.

Sometimes when you are dealing with an inert bureaucracy you have to be prepared to upset a few people to break through inertia.

ICANN will do whatever is in ICANN's interest, not what is in the interest of people who are nicest to them. Anyone who wants ICANN to take some action is best advised to make it in ICANN's interest to take that action.

I hear what you are saying, and I understand where you are coming from, but it’s off track. In your analysis of bears and honey there are some flawed assumptions. The first assumption is that we are trying to “catch a bear,” supposedly meaning that Registrars have something we want. They don’t. The idea that we are trying to get something beyond their regular obligations is false. We are simply establishing a baseline of obligations and compliance, which leads me to the second assumption.

The “honey” comparison is troubling because it seems to suggest that Registrars can be sweet-talked, cajoled, influenced, coerced, bribed, enticed, coaxed, seduced, lured (or whatever the appropriate euphemism is) into complying with their contracts and not sponsoring illicit traffic. It is pretty cynical to suggest that “less abrasive approach”, as Phillip says, is what is required to get someone to do what it is already required.

You wanted us to contact the Registrars “differently.” In two cases cited here we contacted them directly and one question was answered incorrectly by the Registrar’s own admission and the other was completely missed by the Registrar. The dialog, as you say, was preempted.

And, I’m sorry to have to call you out, but you’re asking me here to be kinder and softer but elsewhere you’re talking about silencing us and hoping we get sued. Now, I have recorded a long trail of Registrars and certain ICANN staff trying to silence us which I do not think will help change any perception of distrust for any specific registrars.

Request some time at the next Stakeholder Group MeetingJothan Frakes – Jul 12, 2010 2:10 PM PST

>"Differently"

One might reach out to the chair of the Registrar Stakeholder group and request some time on their agenda in the next meeting to make a brief presentation about the problem you're trying to solve, and request help in the form of points of contact to coordinate and validate findings against, for example.

I wouldn't even call that honey. More like just a wise first step.

Honey might be to suggest that the top participants will receive credit for their aid and a joint press release about their help in making the internet safer or less spammy.

I'd really have encouraged this from the start, but perhaps it would be worthwhile to understand why people are only cooperating to the letter as opposed to being graciously helpful.

I've witnessed the gracious start program have success frequently. There are good people there with a willingness to help.

You might need to start with some apologies and some humility as you approach to help evolve past some of the visceral reactions that putting many of them on the defensive has earned.

The stakeholder group are a number of registrars who work very hard to overcome the broad painted strokes of a small handfull of bad actor registrars. The group strives to improve things and they would probably be more cooperative, especially if given the chance in such a forum.

Thank you. We appreciate advice, solicited or not. In the same vein as it was offered, I would like to point out a couple of things. First, it has been our experience that registrars and search engine folks do not respond unless pushed. We have over the years contacted numerous organizations trying to get improvements, with little success. We are not sure what the "honey" approach would be. We have almost always had success with the publication of a report. We found this approach through trial and error while seeking a method that would work.

The "taser" approach is really just making the truth public and those who are unhappy with what is made public only say they are unhappy. No one has yet to demonstrate that we were wrong. On occasion, someone will offer a substitute for what the are supposed to do, but it is a rare event that they show us to outright wrong.

We have said for years that we would be happy to have a true dialogue with the registrar industry and we still feel that way. We have published work that shows that the real bad actors are a very small subset of the overall industry, however much of the industry is sloppy and does not want to hear about fixing any problems.

What they do not seem to understand is that we are a kind of first wave, to be followed by regulators from government and industry. How much they will push the registrar industry will be determined by what happens now. The transition period that we are all in now is normal for industries that have been allowed to grow unfettered until they reached a certain size and maturity. Just look at the history of TV, radio, telephones, etc. if you are not sure what I mean.

Our goal is to have transparency, stability and security of the Internet, as well as those who are responsible for the various pieces. A number of registrars have decided they want the same thing. A smaller number are criminals who don't care and there is bunch in the middle who are complaining about having to shore up their operations.

We have offered registrars the opportunity to listen to us and fix problems. We have offered to help them do it. We continue to offer this.

We have read your recent report with interest and appreciate your efforts to strengthen Internet security in general and contractual compliance of registrars specifically. We were however amazed to find our own name among those registrars listed as being in potential breach. We have therefore carefully analyzed the report for potential issues regarding the issues reported in your report, but have found the cause of our mention was only bad research or conjecture. We object to the depiction of Key-Systems GmbH as registrar potentially in breach.

The listing in your report states:

Key-Systems GmbH (key-systems.net) : RAA 3.3.1,3.7.5.6, 3.7.5.15

These findings are false and the inclusion of such data casts doubt on the general quality of your research. We appreciate that you are most likely not used to scientific research and your report can be considered more or less of an amateurish fact-finding mission with noble intent, but insufficient execution:

Lets get into more detail with the cited "possible violations":

a) RAA 3.3.1:
Contrary to your conjecture, Key-Systems does provide easy and unlimited access to our whois records at the address whois.rrpproxy.net. In your „analysis“ you base your assumption of potential breach simply on the fact that you received no response to an email sent to our contact address. You neglected to pursue any of the more obvious research paths, such as conducting a whois search on one of our domain names (such as Key-Systems.net) on Internic.net, where the whois server is prominently displayed, or trying again, or maybe calling. The only basis for the accusation seems to be that you were not able to find it (sloppy research) and did not receive an answer to an allegedly sent email. This is sloppy research at best.

b) RAA 3.7.5.6:
The text for this entry, „reporter commented that...“, suggests that you did not even bother to check for yourself. Had you done so, you would have seen that our prices and policies on our retail platform domaindiscount24.net can be reviewed at any stage of the registration process by accessing the corresponding links on the site. The site is structured logically and all information is available with easy access. We list all prices involved with the registration, as well as restoration fees, clearly on our site. No information or costs are hidden.
Our terms and conditions detail all aspects of rights and obligations of a domain owner at any time of the registration. Your opinion of what constitutes a clear pricing policy may be different from ours, but we do believe we are in contractual compliance. While we appreciate any constructive criticism on how to improve our presentation of this data and continually strive to meet customer demand, the mere statement that that fee policies were not clear without any substantiation does not hold water.

c) RAA 3.7.5.15
Funnily enough, the RAA does not contain a clause 3.7.5.15. You are therefore accusing us of violating an obligation that does not even exist.

We kindly request that you update your "audit report" to reflect facts, not conjecture, and remove all factually incorrect statements. We further request that you use the same diligence in distributing the updated version of your report that you employed with the current version, and inform all recipients of said version of the incorrect content.

To reiterate, we appreciate your efforts and intentions, but judging from the results we have seen, your methods are questionable, unscientific and the results are therefore in question. You would have served your purpose better by doing proper research instead of publishing this paper as it is.

I do not think you should be amazed to find Key-Systems in such a report considering your sponsorship of illicit pharmacy domains, especially the GlavMed network which will be detailed in another posting. Because of length and time constraints before ICANN Brussels we had to drop sections of the report that detailed the GlavMed domains Key-Systems supports, but it will included in any new version or revision.

Now, in specific reference to your complaints. In trying to contact Key-Systems we used the contact email “info@key-systems.net”, a copy of that email is below and I will forward you the original copy as well.

“info@key-systems.net” is the contact address listed in the two main ICANN Registrar directories:

http://www.icann.org/en/registrars/accreditation-qualified-list.html

http://www.internic.net/registrars/registrar-269.html

As well as Key-systems own website: http://www.key-systems.net/contact/

I want you to think long and hard about this. You contacted me in the same fashion, by using the generic contact address on KnujOn’s site and I responded. What if I had ignored the email as your staff did?

Next, in general you have completely misunderstood the angle of this report and how the research was conducted (which I’d be happy to attribute to language or cultural differences). There is nothing “scientific” about the method nor does there need to be. Your Registrar domain is “key-systems.net”, as listed in http://www.internic.net/registrars/registrar-269.html, it is not “rrpproxy.net” or “domaindiscount24.net”. So, your website as far as the public knows is “key-systems.net” and if you haven’t posted the correct information about pricing and policy there, you are in violation of the RAA. You say the policies and pricing “can be reviewed at any stage of the registration process by accessing the corresponding links on the site.” You need to make this information available BEFORE anyone attempts to make a purchase.

Attempts to find your port 43 address and policies were based on a potential customer’s viewpoint. Rest assured, I know where your port 43 address is, but the ordinary consumer would not be able to find it without the knowledge and tools I have and not without attempting to contact you directly which we did. The kinds of search calisthenics you suggest in your reply are a completely unreasonable expectation on the consumer.

The bottom line is that you are not monitoring your consumer contacts carefully, this is not sloppy research on my part; this is sloppy management on your part.

The issue over “RAA 3.7.5.15” is simply a typo in the introduction section. If you read the report you will find “F. Registrar Must Display Fees and Deletion Policies (RAA 3.7.5.6/3.7.5.5)” with the correct section clearly noted.

We went to http://www.dd24.net, which redirects to http://www.domaindiscount24.net. I get a different page when I do this. The first time we clicked on a link from key-systems, I got this page. The second (and all subsequent) time we got the Agreement page. The redirected-to page has some pricing, but more of a sales/marketing kind of pricing, from "xxx euros and up and "free 6 month trial." There is still not a clear price list from which sale price will deviate.

we are aware of the problem with the illicit pharmacy domain names and are shutting these domain names down by the dozens every week, usually on the very same day we receive a substantiated complaint. However, you are "trying to redirect the conversation away from the original point", which is the accusation of violation of compliance.

Thank you for providing the original mail. I will find out who treated the mail and why you did not receive an answer. Ordinarily, we take care to respond to such requests in a timely fashion. Regardless of that, assuming a registrar is in violation of the RAA for failure to respond to one (1) message is pure conjecture at best, and libelous at worst.

Regarding your comments regarding the nature of your report: You yourself call your report an audit, without adhering to any proper auditing care and procedure. I will not comment on the report in its entirety, but regarding Key-Systems it is pure conjecture based on sloppy research.

You assume that because our company name is Key-Systems this is also where we conduct business. Had you checked for even a second, you would have found that you cannot register a domain name over Key-Systems. The main site is purely for self-representation and clearly points out where we do conduct our business: We clearly direct our retail customers to domaindiscount24 and our resellers to our reseller platform rrpproxy.net. Our customer will go to either of these webpages as this is where they can actually do business. No pricing or policy information is needed on key-systems.net as no domain can be purchased there.

Regarding navigating domaindiscount24.net: You are familiar with navigation bars? On the left side, click domains, then prices and you will find a list of all prices on one page, easy to reference. Our policies are contained in our terms and conditions, which contain clear deletion policies.

Regarding availability of information before the purchase: How is "at any stage of the registration process by accessing the corresponding links on the site" not before the purchase? Trying to turn words around does not change the facts. The information is there, easy to find, before, during and after the purchase.

Regarding ordinary customers finding port 43: If I am an ordinary customer and try to find the whois for any given domain, I will always use the webbased whois, not port 43, but that is beside the point. We implemented the port 43 whois where it made sense: in our reseller portal, as our resellers will be the ones using the port 43 whois most. If per chance a customer needed port 43, he would also know how to find it: doing a web-based whois check on our main page key-systems.net, which will reveal the port 43 whois address as well:
Domain Name: KEY-SYSTEMS.NET
Registrar: KEY-SYSTEMS GMBH
Whois Server: whois.rrpproxy.net
No special tools are necessary. This is how the "ordinary consumer" behaves.

"we are aware of the problem with the illicit pharmacy domain names and are shutting these domain names down by the dozens every week, "

KnujOn has a good working relationship with LegitScript, which as you may know, is the largest Internet pharmacy tracking service in the world, and is recognized by the organization representing US government pharmacy regulators, which has asked Registrars to accept LegitScript's suspension requests. Would you be willing to have LegitScript forward on a list to you? LegitScript's President just indicated that they have several hundred rogue Internet pharmacies with Key-Systems, but I understand that LegitScript always does a full re-confirmation of these websites' illicit content before requesting suspension, so they would want to do a full check next week and then send you the list. LegitScript works closely with GoDaddy, Directi and other Registrars, and I know that they'd welcome the opportunity to strengthen communication with you as well.

Garth,we have been working with them already,Volker Greimann – Jul 02, 2010 9:23 AM PST

Garth,

we have been working with them already, however we understand they are a private lobbyist organization not sponsored or duly authorized by any official government agency. Maybe thats a European worldview, but we view such unsponsored lobbyist organizations with caution and will doublecheck any information we received from them as we cannot be sure of their real agenda. We have researched them as well and not all information we found was positive or supportive (see: http://online-pharmacy-and-prescription-drug-review.com/legitscript-not-so-legit).

As we also need to consider registrant rights, we need to consider each complaint on its own merits. Providing lists of domain names without substantiation does not qualify as sufficient evidence for us to deactivate a domain name.

To be sure to be understood correctly: We will deactivate a domain name in the following cases:
a) customer request,
b) court order,
c) request by a duly authorized government agency,
d) clear and ovious violations of the law,
e) violation of our own terms and conditions.

As I said, we have deactivated domain names at their request before, in cases where they presented us with substantiated complaints, and we will continue to do so in the future.

I just sent you an email with more detail about this, but thought I'd post a public clarification and correction so that Registrars understand who LegitScript is (and what we are not).

LegitScript is NOT a private lobbyist group (we aren't a lobbying group at all). We're also not a trade organization. We are not "representing" any third party, especially in the context of providing notifications to Registrars about illicit "rogue" Internet pharmacies. Indeed, we specifically do not take any money from pharmacies at all. Our verification program is free and the sole criteria is legitimacy under the laws of the countries where the website in question dispenses prescription drugs.

In terms of what LegitScript’s mission is, our clients include companies like Google that need to better understand which prescription drug websites are legitimate and which are not; we also assist organizations such as the NABP with Internet pharmacy reviews and verifications. We also perform market and investigative research, including in the intellectual property area. However, we specifically do not accept money from pharmacies for verification purposes. Since we have the world’s largest pharmacy website monitoring program, we think it’s important to work with Registrars to help identify websites that pose a direct risk to Internet users’ health.

And, it is incorrect to state that LegitScript doesn’t have authorization or recognition from government authorities or the organizations that represent them in this capacity. We do, in fact. In the US, pharmacies are licensed by State Boards of Pharmacy, which are state government agencies (there is no federal pharmacy licensure). The organization that represents all of those government agencies (the NABP) has recognized LegitScript’s verification program, and has specifically written several Registrars asking them to accept LegitScript’s notifications of “rogue” Internet pharmacies. Any Registrar who would like to see this official recognition is free to contact us, and we’ll forward it on, or put you in touch with the organization that represents those government agencies to verify this. Moreover, some other governments, such as in Ireland, have referred to us the “appropriate authority” on this issue. See: http://www.irishtimes.com/newspaper/health/2010/0629/1224273546744.html. I would very much encourage any Registrar with questions about this to contact our pharmacy regulators here in the US via the NABP, which is their collective association.

Volker, with respect to the blog you referred to, I think it would be best for me to refrain from very much comment except to state that that blog is false (and defamatory) and LegitScript is taking appropriate steps under the law to address the issue. Do consider that it comes from an entity that considers us a competitor, and that has approved some Internet pharmacies that LegitScript has identified as “rogue” or “unapproved.”

LegitScript values our recognition from the National Association of Boards of Pharmacy, and is pleased to offer continuing assistance, either formally or informally, to companies such as Google, GoDaddy, Directi, and other Registrars and Internet companies. We are very appreciative of the instances in the past in which Key-Systems has, pursuant to our notifications, verified the illegal nature of a website and suspended the domain name accordingly. However, because there have also been some instances were domain names of verifiably illegal websites (e.g., clearly selling drugs without a prescription) were not suspended, we would welcome the opportunity to provide any additional assistance that Key-Systems might find useful to that end.

Finally, I would encourage Key-Systems and any other interested Registrar to consider LegitScript a resource in this regard, and also to approach us directly with any questions about our mission, personnel or structure that you may have. Unregulated prescription drugs, including those sold without a valid prescription, can pose a significant health risk to individuals, regardless of the country where the Registrar is located, and it is unfortunately true that criminal elements seek out "safe haven" Registrars where they hope to operate unimpeded. We recognize and appreciate that most Registrars do not want their services to be used that way; respect the important role that Registrars play in keeping the Internet safe; and welcome continued communication in this regard. (Provided, however, that we did want to correct the statements about us above!)

LegitScript is not a government agency, law enforcement entity or regulatory authorityThomas Barrett – Jul 02, 2010 5:06 PM PST

Dear John,

I admire the business model you have developed with LegitScript. In addition, it appears it could be a solid source that registrars could utilize when investigating complaints.

However, the crux of the issue is expressed beautifully by the disclaimer on your website: http://www.legitscript.com/disclaimer, which states: "LegitScript is not a government agency, law enforcement entity or regulatory authority".

best regards,

Tom Barrett
EnCirca
===

Disclaimer from LegitScript.

The information on this website, including information about pharmacy websites, news, data and other information, is based on information from publicly available sources and information obtained by LegitScript, LLC (“LegitScript”). The information is intended solely for the personal use of the website user. LEGITSCRIPT EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, AS TO THE ACCURACY OF ANY THE CONTENT PROVIDED, OR AS TO THE FITNESS OF THE INFORMATION FOR ANY PURPOSE.

Furthermore, LegitScript is not a government agency, law enforcement entity or regulatory authority. Information that a pharmacy website does not meet LegitScript standards should not be taken to mean that a pharmacy or a website, or individuals associated with the pharmacy or the website, have violated any provision of state or federal law, or any state or federal regulation. Additionally, LegitScript makes best efforts to ensure that our information about websites is timely and to re-review websites on a periodic basis; however, LegitScript may not be aware of changes made to a website following our review of that website. Rather, LegitScript simply represents that, at the time that LegitScript reviewed the website, available information indicated that the website met or did not meet our standards as represented on this website.

LegitScript.com does not provide medical advice nor recommendations regarding the use of any medicine, including prescription drugs. We do not request personal information in any unsolicited email correspondence with our customers. LegitScript shall not be liable for any errors, inaccuracies or delays in content, or for any actions taken in reliance thereon. Although LegitScript makes reasonable efforts to verify publicly available information and to obtain reliable content from third parties, LegitScript does not guarantee the accuracy of or endorse the information or opinions given by any third party content provider. LegitScript does not endorse or take responsibility for the content other sites that LegitScript may link to or provide information about.

For those who don’t know GlavMed is a spam-advertized illegal drug-trafficking network that may be affiliated with the notorious RBN. Key-systems sponsors many of their domains including BUY-DRUGS[DOT]ORG which certainly not an “Org.”

We’ve just filed a complaint against BUY-DRUGS[DOT]ORG because it has false WHOIS. The domain owner claims to be in the U.S but has a European-style street address "Drunkcorner str. 12" that does not exist and a phone number with only 8 digits that ends in “23456”. Is Drunkcorner Straße near the ICANN office? Key-systems is required to verify this information now and/or suspend the domain. We will follow up to ensure this happens.

This is just one of the domains in question and includes: easymedforyou[DOT]com, mybuymeds[DOT]com, thecupoverflows[DOT]com, thefastmed[DOT]com, and many others.

We realize that Key-systems has started suspending other illicit pharmacy domains and we hope they will continue by terminating domains like tabletnetputercapsules[DOT]net which may appear suspended to the casual observer but actually redirects to drugplaceclean[DOT]com. The full list I sent to Key-systems contains domains deleted by them recently, let’s continue the clean up on the rest.

But as long as we see Key-Systems pharmacy domains like smartsshealth[DOT]com and arrowstat[DOT]com we’ll keep making the information public.

please realize one thing. We register thousands of domain names on a daily basis. These domains are registered by criminals, through different resellers all the time. The majority of registered domain names are legitimate and it is impossible for us to differentiate between the good and the bad.
We therefore rely on substantiated spam or abuse complaints directed to our abuse team: abuse@key-systems.net. We will review any complaint regarding a domain name, whois complaints and content complaints. If we receive suficient evidence that a domain is indeed obviously illegal, we will take appropriate action.

Please send the list of domain names to the above mentioned address, if possible complete with spam including this name or substantiated evidence and we will take appropriate action.

Regarding the term "sponsoring". This is a legacy terminology, that causes confusion and misapprehension. The term suggests active involvement and support for a domain name whereas the registration process is automated and we do not normally see the domain names we register unless there is a problem.

I second other comments that to increase Internet security is indeed a worthwhile effort, but I take issue when my two of my companies are falsely accused and included in the same report.

You wrote the following:

"No one has yet to demonstrate that we were wrong. On occasion, someone will offer a substitute for what the are supposed to do, but it is a rare event that they show us to outright wrong."

Allow me to demonstrate TWO cases where Knujon were wrong and that I have already brought to your company's attention:

1) Domain-it!, Inc. is NOT in breach of the RAA, despite claims in the Knujon report. The Knujon report wrongly claims that we are in breach of RAA 5.3.1 which refers to "Material Falsification in Registrar Application". Specifically, the Knujon report alleges that we do not exist as a legitimate and verifiable business entity, when in fact we have been registered as a corporation with the State of Ohio for over a decade. Knujon did not perform an effective business search or contact us for advice on the matter.

2) PLISK.com is NOT in breach of the RAA, despite claims in the Knujon report. The Knujon report wrongly claims that PLISK.com is in breach of RAA 3.16 which refers to "Registrar Contact Address Must Be Available on Website". PLISK.com has always provided accurate contact details on its website including a valid email and mailing address. We are not to blame because Knujon failed to perform a thorough review of the small 8 page website or contact us for advice on the matter.

I have been in correspondence with, and tried to resolve my concerns with Garth Bruen who seems to refuse to accept the facts being presented to him. Garth Bruen responded that for #1, Knujon was wrong, but it is the Ohio secretary of state that's at fault due to their search interface. As for #2, he continually demands that we move the contact address and email from our agreement page to our home page. Knujon is wrong and after having been informed of this, they are now demanding we act on their personal opinion, not the RAA that we have always adhered to.

Knujon also wrote the following in CircleID:

"KnujOn's criticisms are well researched before they are made public and the registrars have a chance to deal with them before they become public."

This is not true. Based on the errors we have found, the criticisms are not well researched, and we were never contacted by Knujon before, during, or after publication of this report. I am not aware of any registrar that were give the chance to deal with the allegations before they became public. We were included in the report because of errors in the Knujon research, and without being given the opportunity to correct them. A simple email, letter, phone call or helpdesk submission could have prevented these false allegations.

People are taking note of this report and in the case of criminal activity I'm glad. However, as a result of these errors, our companies have had their names tainted as Registrars that Knujon incorrectly claim to be in breach of the RAA.

We have presented the facts displaying multiple errors in the Knujon's registrar audit report. We have requested that the current report be corrected, re-distributed, and an announcement made to state that we are not in breach of the RAA and that we were listed in the report due to errors in your research. Will Knujon set the record straight for the errors they have made and distributed to the public?

You specifically left out a number of things I told you and you told me. The RAA states: "accurate contact details including a valid email and mailing address." VALID EMAIL, not a form. You are in violation of your contract.

So, now that's out of the way maybe we can talk about viagraprescriptions.co.uk? Which tells it's customers "How to Buy Prescription Viagra Online Without a Prescription", they're sponsored by Domain-It. Oh, they also proclaim: "Good News - if you reside outside of the UK we can also have your genuine Viagra delivered overnight from our extensive network of licensed pharmacies." Which is illegal.

Indeed you told me that we do not display a valid email, and I appreciate your clear cut example of how Knujon accuses registrars of being in violation of the contract without sufficient research and before contacting the registrar for further information. We display a valid email and mailing address on our agreement page which is completely in compliance with the RAA.

I'm curious to see how you address the fact that you once again accused a registrar of being in violation in error. No "potential", no "possible", just an outright public accusation without merit.

What I see is the contact information buried in the site and you claiming that it is compliant. It's like driving around without a license plate in your trunk instead of screwed the bumper and saying "yes I have a license plate" the statement is factually correct but it isn't really compliant.

We can argue all day about the wording but it says the contact information must be on the "website" not in the Registration agreement. When someone goes to your website they expect the information to be present, someone is only going click on the Registration agreement if they are interested in that. If they are trying to contact you about an illicit pharmacy domain like viagraprescriptions.co.uk they're going to want more concrete information. You are obfuscating when you have a "contact us" link without contact information. It's an artful dodge, but still a dodge.

I understand how you see it and you are entitled to your opinion, but that's all it is - an opinion. What I don't agree with is that you have accused us of being in breach of the RAA when you are wrong.

Our license plate is in the back window and if you need to speak to us, just start talking - our window is open.

I think this discussion has reached the end of its usefulness . I look forward to seeing your correction and re-distribution of the Knujon report.

The average consumer should not have to perform serious research to find out your contact information. It should be easily accessible, as required by the RAA. One of the goals of our work is make it easy for the public to find what they need. Having your contact information hidden in an agreement and not in the industry standard Contact Page is not acceptable. I agree with Garth here and I am pretty sure most people would. I cannot figure out why you would not put the information in the Contact Page, there is no upside for you to bury it.

One mistake (with a reason) is not the same as sloppy research. As I said, it is rare event, not a non-existent event. We never claimed perfection. The report is almost 100 pages. A typo or a problem due another party is simply not a basis for condemnation of the whole report.

Registrars were contacted, many of whom, but not all, chose not to respond and are now complaining about missing their chance to respond. The lack of response to a posted email address is a problem unto itself. You have the opportunity now to make corrections.

As we are informed of verifiable errors, we will make corrections, with explanations.

The average consumer can reach us very quickly. Furthermore, even if our contact information was "hidden" or "buried" (which is a matter of opinion), we'd STILL be in compliance with the RAA. For that reason I do not need to argue how nobody has ever complained about not being able to reach us in all these years except perhaps Knujon who didn't bother before including us in their report in error.

I believe that there are some benefits to your report, but can you also concede that two of my registrars were included in error and that you should correct and re-distribute the report based on that new information?

As for your comment that "Registrars were contacted", I disagree with that point because we were not contacted at either of the two registrars that I wrote to you about.

Volker wrote:
"we are aware of the problem with the illicit pharmacy domain names and are
shutting these domain names down by the dozens every week, usually on the
very same day we receive a substantiated complaint. However, you are
"trying to redirect the conversation away from the original point", which
is the accusation of violation of compliance."

Bob responds:
We are happy that you are handling the illicit pharmacy problem. This is not
redirection of anything. A substantial part of the report dealt with illicit
pharmacies. The non-compliance issue also was a large part of the report.

Volker wrote:
"Thank you for providing the original mail. I will find out who treated the
mail and why you did not receive an answer. Ordinarily, we take care to
respond to such requests in a timely fashion. Regardless of that, assuming
a registrar is in violation of the RAA for failure to respond to one (1)
message is pure conjecture at best, and libelous at worst."

Bob responds:
Thank your taking care of the email issue. The failure to respond to an email
is not the basis of our complaints. It is a problem, however.

Volker wrote:
"Regarding your comments regarding the nature of your report: You yourself
call your report an audit, without adhering to any proper auditing care and
procedure. I will not comment on the report in its entirety, but regarding
Key-Systems it is pure conjecture based on sloppy research."

Bob responds:
The report is an audit. We looked at the RAA and we looked the registrars'
compliance. If you would like to present proper auditing care and procedure, which we did not follow, we will happy to look at. You are still accusing us of sloppy research and, now, pure conjecture, without substantiation. Not liking what we said is not enough.

Volker wrote:
"You assume that because our company name is Key-Systems this is also where
we conduct business…

Bob responds:
Help me out here. Isn't Key-Systems registered as the registrar with ICANN? If
not, then you may be right. Otherwise, the RAA says you need to post certain
information there. Your statement that you do not sell domains there is not
relevant, unless you can show where the RAA says that.

Volker wrote:
"Regarding navigating domaindiscount24.net: You are familiar with
navigation bars? On the left side, click domains, then prices"

Bob responds:
Yes, eventually, after 5 pages, I found the pricing. How does that maze qualify as easily accessible?

Volker wrote:
"Regarding ordinary customers finding port 43: If I am an ordinary customer
and try to find the whois for any given domain, I will always use the
webbased whois, not port 43, but that is beside the point."

Bob responds:
I am at a loss as to how to respond to such a statement. How can you possibly
generalize that particular behaviour of an ordinary customer using the word "always", especially when I know it is not true? Port 43 access is not beside the point, it is a requirement, not a choice. You are out of compliance here.

RE: Request some time at the next Stakeholder Group MeetingBob Bruen – Jul 12, 2010 4:03 PM PST

Hi Jothan,

As an FYI, I spoke with Maison Cole from the Registrar Constituency while at ICANN in Brussels. We have been in contact since then. The discussions have been civilized with the intent of opening up a real dialogue.

I am hoping we get some time at their meeting at the December ICANN meeting in Cartagena. I think that it is fair that we make ourselves available in public to directly answer questions, as well as discuss what our objectives and expectations are. We are also open to listening and hope to have an productive, cooperative relationship going forward.

re: Request some time at the next Stakeholder Group MeetingBob Bruen – Jul 23, 2010 9:40 AM PST

Hi Jothan,

I did discuss this with Mason, but several registrars are unwilling to have me appear at the RC meeting in Cartagena. I have asked Volker and Michele if they would be willing to try to change Mason's mind (I understand that he represents the RC when he speaks).

I am asking any registrar to voice an opinion on this. I am having difficulty understanding why an entire industry would be wary of having one guy face them. If the industry is not happy with what we have published, this is their opportunity to say that to my face with their home court advantage. We are willing to talk and I thought they would be willing, as well.

If you want to discuss things with me you have my email address, though I don't recall you actually asking me about Cartagena (though it's quite possible that I didn't see the email in the chaos that is my inbox :) )

1) Require all registries run the thick EPP model thus centralizing the whois in a real "authority".

2) Since registries are required to maintain a complete transaction history, this also makes available a complete, and authoritative (by definition of what the registry is), WHOWAS service. Making this a fee based service is fine, so long as it's cheap enough for most anybody to afford, say $5 per query. DomainTools proves the commercial viability of such a model, and DomainTools errant database would then be replaced by an authoritative one.

3) Disallow Privacy Whois so the whois actually has meaningful data. Even the ICANN data escrow allows Privacy whois. Remind me again why the ICANN Whois Data Escrow program started? It had to do with all those domains I transfered out of RegisterFly since they nefariously changing the whois value ... RegisterFly was stealing it's customers domains byt manipulating the whois values, for which there was, and still is, not authority avialable to prove this is taking place. Espcially at registrars that now use Privacy Whois by DEFAULT.

The issue of registrar run whois is a nightmare at many levels. I suggest until someone has to run one they should thing twice about the motives of registrars. This is not to say I think refusal to run one is right. But having thousands of domainers running scripts trying to harvest the whois info of all domain as fast as they can and as frequently as they can, is an issue folks should ponder. This is why even the thick REGISTRIES block whois queries. A subtle point that is worth pondering.

Accurate functional whois is a critical part of the internet, which is why it should be part of registry operations and not a realtime database sync task of the registrars. Move it all to the registries and disallow Privacy Whois.